Like the Titanic
The Titanic was said to be unsinkable and e-passports are supposed to be “unfakeable”. So e-passports like the Australian passport have a chip in them (thankfully, NZ passports don’t have the dreaded chip…yet). But it seems microchipped passports can be cloned in a matter of minutes – quelle horreur! Worse: the computer software designed to sniff out a fake and set off lights, bells and whistles was completely duped by the fake passports.
Of course, microchipped passports were introduced to deter terrorists and criminals. The Times decided to do a cunning test to see if they could expose flaws in the security system used at international airports. The Times had a computer expert clone the chips used in two British passports and implant digital images of Osama bin Laden and a suicide bomber. I’ve blogged before on biometrics and potential flaws but when you read that the passport with the altered chip and image of Osama bin Laden breezed through the security system and was recognised as genuine by the passport scanning software, Golden Reader – well, not sure whether to laugh or be REALLY worried. The passport scanning software is endorsed by the UN Agency that sets the standards for e-passports.
The researcher who cloned the passports used simple equipment: publicly available programming code, his own software, a £40 card reader and two £10 RFID chips. He took only a few hours to produce the bogus passports, which included deciphering the encryption key used in e-passports. It gets even better: the fake Osama passport used a baby boy’s microchip and the passport of a 36-year-old woman was altered to show the image of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003.
An e-passport microchip contains vital information: a person’s name, date of birth, gender, place of birth, issue and expiration dates, and the person’s passport photo. And when the passport is within a few centimetres of a passport scanner, all this information is revealed. But since RFID signals are used, it’s quite possible that a portable scanner could be used to read the e-passport, say, as it’s being carried by someone through an airport. The RFID chip is encrypted (i.e. locked) but as The Times clearly demonstrated, a computer expert with basic equipment can decipher the key. As technology and hackers get more powerful, I’m sure that Governments will demand that microchips also contain fingerprints and iris scans.
So this is far from secure as a so-called deterrent to terrorists and criminals. 3,000 blank passports were stolen recently in the UK and authorities said don’t worry they can’t be faked – yeah, right. And we know that databases are never 100% secure, so the whole e-passport thing has me pretty freaked. I see no valid reason for handing over our iris scans, fingerprints, and putting our whole identity onto a microchip – when the real reason behind all this is simply to herd us onto a central database that will be shared by Governments around the world.
There are other ways to ensure a passport is genuine. Blogdial has a pretty sensible suggestion:
- Each passport or ID document contains a cryptographically signed digital portrait of the holder, signed by the passport issuing authority.
- When your passport is swiped, your picture comes up on the screen, loaded from the passport, and NOT a central database.
- The digital signature of the passport photo is also downloaded.
- A PGP-like signature check is done against the public key of the national passport issuing authority, which is stored on the keyring of the swiping device.
If the signature is good, the document is genuine. If the signature is bad, the document is a forgery.
This system does several things.
- It decentralizes the management of photo authentication.
- It stops the inevitable abuses of centralized databases.
- Each passport photo is digitally unique. This means that every time that you get your photo taken for your passport, it is a different cryptographically signed number that ends up in your passport. You will never have a unique identifier tied to your identity, even though it's your face in every photograph.
- Big brother gets a kick in the balls.
- Passport/ID fraud is basically eliminated, except for the fake ones made to order at the request of MI6 and the like.
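The check Blogdial describes, as an added Go example that is not from Blogdial or the original post: Ed25519 stands in for the "PGP-like" signature, and the `Chip` layout, the `Keyring` type, the issuer code "XX" and the fixed demo seed are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

type Chip struct {
	Issuer    string // issuing authority (hypothetical layout; "XX" is constructed)
	Portrait  []byte // digital portrait of the holder
	Signature []byte // authority's signature over issuer and portrait
}

// Keyring holds issuer public keys locally on the swiping device.
type Keyring map[string]ed25519.PublicKey

// signedBytes binds the portrait to the issuer name before signing.
func signedBytes(issuer string, portrait []byte) []byte {
	return append([]byte(issuer+"\x00"), portrait...)
}

// Issue is done once by the passport authority, with its private key.
func Issue(priv ed25519.PrivateKey, issuer string, portrait []byte) Chip {
	return Chip{issuer, portrait, ed25519.Sign(priv, signedBytes(issuer, portrait))}
}

// Check runs offline on the device: no central database is consulted.
func Check(kr Keyring, c Chip) string {
	pub, ok := kr[c.Issuer]
	if !ok {
		return "unknown issuer" // no trusted key, so never treat as genuine
	}
	if !ed25519.Verify(pub, signedBytes(c.Issuer, c.Portrait), c.Signature) {
		return "forgery"
	}
	return "signature good"
}

// demoAuthority derives a repeatable key pair from a constructed seed (demo only).
func demoAuthority(seed byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	priv, pub := demoAuthority(1)
	real := Issue(priv, "XX", []byte("constructed portrait"))
	swapped := Chip{real.Issuer, []byte("altered portrait"), real.Signature}
	fmt.Println(Check(Keyring{"XX": pub}, real), "/", Check(Keyring{"XX": pub}, swapped))
}
```

An exact copy of `Portrait` and `Signature` onto another chip still returns "signature good", because the signature only proves the portrait is unaltered and came from the issuer; the person at the desk still has to match the on-screen portrait to the traveller.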
I was watching Blue Hawaii yesterday (yep, the 1960s Elvis film) and I had to chuckle when two women met the plane carrying Elvis on it. They rushed onto the tarmac and waited by the steps that were put into position to let the passengers disembark. Other people were waiting behind fences just near the plane. I well remember Sydney airport – my father and I used to go there on Sundays to stand on the roof of the airport building to watch the planes take off and land (he was after all a fighter pilot and this was back in 2000 BC!!).
Can you imagine if you tried to do this today? You’d be hauled off so fast and never seen again.